cryptostorm's community forum

Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

I was just about to tweet how great it is that you folks are exploring blockchain-based tech, but then I tried to use your resolvers and see that they're not resolving .bit domains. Am I missing some instructions somewhere?

Which OS are you running? (please say Linux, lol) Seriously though, likely what's happening is that you are not using the DNS resolver on the node you're connected to. Try going to sites such as http://forum.i2p or https://3g2upl4pq6kufc4m.onion, and let us know if you are successful.

Sorry folks I thought I would get email replies but either they're not working or I forgot to check "Notify me when a reply is posted".

I'm using OS X, but it shouldn't matter, right? Are these private resolvers that can only be accessed via VPN? I was using some IP address that I saw in a tweet from @cryptostorm_is. How should I test?

Are you setting a DNS manually? If so, then remove it. Let the OpenVPN server push the correct DNS server IP to you.

Is there a way I can verify that the service is using DNSChain without having to pay for VPN access? If I can verify it, then I can give the cryptostorm_is folks a shoutout from either @okTurtles or @DNSChain.

This looks useful, but don't you lose a layer of protection without the Tor brower bundle? Fingerprinting? I'm already a NoScript / Privacy Badger / Ghostery user with the obvious IP leaks plugged (WebRTC, IPv6), but there's also the fact that my browser is still unique on https://panopticlick.eff.org/ when I enable javascript, and Javascript is pretty much necessary to use any modern functional website (including some onion sites).

Doesn't seem like there's been a forum discussion on whether having transparent access to onion sites is something that should be this easy to access. Realistically, what kind of security risks are there?

Obviously, this feature is optional and practically impossible to accidentally access, but I just think it bears discussion.

Looks like the forums go deeper than I thought.

torstorm/ for anyone who is searching for the threat model analysis and further explanation. Is this stickied?

I'm not sure how accurate that forum thread/post is since it was written in 2014, but I'm pretty sure it's referring to our torstorm service provided via https://torstorm.org/ , which is a different thing than our transparent .onion access we provide to VPN clients.

Torstorm is a free service provided for the public, and works the same as any other onion2web service.
You would use it by replacing (using the DuckDuckGo .onion for example) http://3g2upl4pq6kufc4m.onion/ with https://3g2upl4pq6kufc4m.torstorm.org/ etc.
A CS account isn't required to use the torstorm service.
The nginx/lua setup that powers it does a few extra things to help keep users anonymous, like randomly changing everyone's user agent, and automatically removing any JS code that looks like it's trying to exploit the WebRTC vuln, no logging, and some other stuff that I'm probably forgetting.

It's different than the transparent .onion access CS provides, which is a feature that we don't really have a name for.
With torstorm, you get access to .onion sites from the clearnet.
With the transparent .onion feature, the request goes from you to the Tor instance running on the VPN server via the VPN tunnel, which means it doesn't involve the clearnet.
It's a little more secure/anonymous than using Tor directly on your own system (much faster too), but it does require a degree of trust towards CS because it puts us in a position where we could monitor your .onion traffic if we chose to (we never will, but there's no way for us to prove that we're not doing that).

If a customer doesn't want to use the service but still needs to access a .onion site while on CS, using Tor Browser would be the easiest way.
The transparent .onion feature uses what's basically DNS hijacking in order to redirect all .onion hosts to an IP in the 10.99.0.0/16 range (set by our server-side Tor's "VirtualAddrNetworkIPv4 10.99.0.0/16").
So as long as you set Tor Browser (or whichever browser you use) to send DNS requests to the socks server your Tor instance is running, then the CS transparent .onion feature will be unable to see your DNS request and change it to our Tor instance.

Not that I'm aware of, but the use of DeepDNS should be transparent to you, once connected. You may have to enable resolution of .onion URIs in your browser of choice, but outside of that it should Just Work.

Well, for me I downloaded a script which is at https://github.com/cryptostorm-dev/csto ... tostorm.sh. First, I connect to the internet. After I get connected to the internet/cryptostorm, I run the script as root. Then no more DNS leak. Only thing is if you get disconnected, you may have to flush your iptables or just restarting your computer will clear the iptables also. Anything else? I've also downloaded shorewall and although I have not set it up yet, it may work better for the disconnection issue because it is supposed to load and unload iptable configurations with a compile/execute method. I know firewalld does it on the fly, but haven't set that up either so far. It is a more involving process to setup, but probably worth the effort if/when I get around to it.

Edit: I just found a better post than mine from Fermi. Go to viewtopic.php?f=32&t=9298. There you will find more about this; although my post is kinda right, he has the solution for making it persistent across bootups. Hope this helped!

I have no access to Tor TLD’s like .onion.
I use the last widget on two computers, Win7 and Win10.
I enabled ‘network.proxy.socks_remote_dns’ in Firefox.
I’m probably missing something, do I have to install or configure something?